add home-assistant example
This commit is contained in:
parent
6b9752e04c
commit
a9a5bc6b09
10 changed files with 282 additions and 0 deletions
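--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+*.qcow2
+result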
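Review bot: The ignore list stops at `*.qcow2` and `result`, yet this same commit adds `examples/homeassistant/keys.txt` (an age secret key) and `examples/homeassistant/sshkey` (an OpenSSH private key), both of which the README has the user generate locally; neither pattern is here, so the next `git add` in that directory will stage them again. Adding `examples/homeassistant/keys.txt` and `examples/homeassistant/sshkey` to this file closes the gap going forward. An ignore rule does nothing for the copies already committed, which still need to be removed from history and their keys rotated.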
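--- a/examples/homeassistant/README.md
+++ b/examples/homeassistant/README.md
@@ -0,0 +1,51 @@
+# Use a VM to run this example
+
+Build VM with:
+
+```bash
+nixos-rebuild build-vm --fast -I nixos-config=./configuration.nix -I nixpkgs=.
+```
+
+Start VM with:
+
+```bash
+QEMU_NET_OPTS="hostfwd=tcp::2222-:22" ./result/bin/run-nixos-vm
+```
+
+User is `nixos`, password is `nixos`.
+
+Ssh into VM with `ssh -p 2222 nixos@localhost`.
+
+If you get into issues with ssh trying too many public keys and failing, try instead: `ssh -o PasswordAuthentication=yes -o PreferredAuthentications=keyboard-interactive,password -o PubkeyAuthentication=no -p 2222 nixos@localhost`.
+
+For more information about running this example in a vm, see [NixOS_modules#Developing_modules](https://nixos.wiki/wiki/NixOS_modules#Developing_modules).
+
+For more information about writing tests, see [the manual](https://nixos.org/manual/nixos/stable/index.html#sec-nixos-tests).
+
+Create your secret key which prints the public key used for `admin`:
+
+```bash
+nix-shell -p age --run 'age-keygen -o keys.txt'
+```
+
+Get target host age key which prints the public key used for `vm`:
+
+```bash
+nix-shell -p ssh-to-age --run 'ssh-keyscan -p 2222 -4 localhost | ssh-to-age'
+```
+
+Update `admin` and `vm` keys in sops.yaml.
+
+Edit secret itself with:
+
+```bash
+nix-shell -p sops --run 'sops --config sops.yaml secrets.yaml'
+```
+
+Deploy with:
+
+```bash
+nix-shell -p colmena --run 'colmena apply'
+```
+
+Took 12 minutes for first deploy on my machine. Next deploys take about 12 seconds.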
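--- a/examples/homeassistant/configuration.nix
+++ b/examples/homeassistant/configuration.nix
@@ -0,0 +1,36 @@
+{ config, pkgs, ... }:
+
+{
+boot.loader.systemd-boot.enable = true;
+boot.loader.efi.canTouchEfiVariables = true;
+boot.kernelModules = [ "kvm-intel" ];
+fileSystems."/" =
+{ device = "/dev/vda";
+fsType = "ext4";
+};
+system.stateVersion = "22.11";
+
+# As we intend to run this example using `nixos-rebuild build-vm`, we need to setup the user
+# ourselves, see https://nixos.wiki/wiki/NixOS:nixos-rebuild_build-vm
+users.users.nixos = {
+isNormalUser = true;
+extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+initialPassword = "nixos";
+};
+
+security.sudo.extraRules = [
+{ users = [ "nixos" ];
+commands = [
+{ command = "ALL";
+options = [ "NOPASSWD" ];
+}
+];
+}
+];
+
+services.openssh.enable = true;
+services.openssh = {
+permitRootLogin = "no";
+passwordAuthentication = true;
+};
+}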
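Review bot: `passwordAuthentication = true;` in the `services.openssh` block at the end of the hunk, combined with `initialPassword = "nixos";` and the `NOPASSWD` sudo rule above it, means anyone who can reach the forwarded port 2222 gets passwordless root with the documented `nixos`/`nixos` credentials; the README's `QEMU_NET_OPTS="hostfwd=tcp::2222-:22"` leaves the host address empty, which, if I recall QEMU's user-mode networking defaults correctly, listens on every host interface rather than loopback. For a throwaway VM that may be acceptable, but the file should say so: add `# Throwaway-VM convenience settings (well-known password, password SSH login, NOPASSWD sudo); do not copy into a real deployment.` above `users.users.nixos`, and the README could bind with `hostfwd=tcp:127.0.0.1:2222-:22`. Separately, `services.openssh.enable = true;` followed by a second `services.openssh = { ... };` set is merged by Nix but reads as two definitions; folding `enable = true;` into the block is tidier. On the nixpkgs revision this example pins, `permitRootLogin` and `passwordAuthentication` have been superseded by `settings.PermitRootLogin` and `settings.PasswordAuthentication` (the old names still evaluate with a rename warning, as far as I know).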
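--- a/examples/homeassistant/flake.lock
+++ b/examples/homeassistant/flake.lock
@@ -0,0 +1,100 @@
+{
+"nodes": {
+"nixpkgs": {
+"locked": {
+"lastModified": 1687681650,
+"narHash": "sha256-M2If+gRcfpmaJy/XbfSsRzLlPpoU4nr0NHnKKl50fd8=",
+"owner": "nixos",
+"repo": "nixpkgs",
+"rev": "1c9db9710cb23d60570ad4d7ab829c2d34403de3",
+"type": "github"
+},
+"original": {
+"owner": "nixos",
+"ref": "nixos-unstable",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"nixpkgs-stable": {
+"locked": {
+"lastModified": 1687031877,
+"narHash": "sha256-yMFcVeI+kZ6KD2QBrFPNsvBrLq2Gt//D0baHByMrjFY=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "e2e2059d19668dab1744301b8b0e821e3aae9c99",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "release-23.05",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"nixpkgs_2": {
+"locked": {
+"lastModified": 1686628398,
+"narHash": "sha256-jXEuS/dex59Oon4tll+Jb8aVl6B8HX/aREigHjt2S6E=",
+"owner": "nixos",
+"repo": "nixpkgs",
+"rev": "202850e1a11a939364cef0f326cb1352b3f2d8cd",
+"type": "github"
+},
+"original": {
+"owner": "nixos",
+"ref": "master",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"root": {
+"inputs": {
+"nixpkgs": "nixpkgs",
+"selfhostblocks": "selfhostblocks",
+"sops-nix": "sops-nix"
+}
+},
+"selfhostblocks": {
+"inputs": {
+"nixpkgs": [
+"nixpkgs"
+],
+"sops-nix": [
+"sops-nix"
+]
+},
+"locked": {
+"lastModified": 1687501773,
+"narHash": "sha256-NtASNHmf+WeVMoGDUk8cMZLEHIOzs9DAaTafWtt9PhY=",
+"type": "git",
+"url": "file:///home/timi/Projects/selfhostblocks"
+},
+"original": {
+"type": "git",
+"url": "file:///home/timi/Projects/selfhostblocks"
+}
+},
+"sops-nix": {
+"inputs": {
+"nixpkgs": "nixpkgs_2",
+"nixpkgs-stable": "nixpkgs-stable"
+},
+"locked": {
+"lastModified": 1687398569,
+"narHash": "sha256-e/umuIKFcFtZtWeX369Hbdt9r+GQ48moDmlTcyHWL28=",
+"owner": "Mic92",
+"repo": "sops-nix",
+"rev": "2ff6973350682f8d16371f8c071a304b8067f192",
+"type": "github"
+},
+"original": {
+"owner": "Mic92",
+"repo": "sops-nix",
+"type": "github"
+}
+}
+},
+"root": "root",
+"version": 7
+}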
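--- a/examples/homeassistant/flake.nix
+++ b/examples/homeassistant/flake.nix
@@ -0,0 +1,43 @@
+{
+description = "Home Assistant example for Self Host Blocks";
+
+inputs = {
+nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+sops-nix.url = "github:Mic92/sops-nix";
+
+selfhostblocks.url = "/home/timi/Projects/selfhostblocks";
+selfhostblocks.inputs.nixpkgs.follows = "nixpkgs";
+selfhostblocks.inputs.sops-nix.follows = "sops-nix";
+};
+
+outputs = inputs@{ self, nixpkgs, sops-nix, selfhostblocks, ... }: {
+colmena = {
+meta = {
+nixpkgs = import nixpkgs {
+system = "x86_64-linux";
+};
+specialArgs = inputs;
+};
+
+myserver = {
+deployment = {
+targetHost = "localhost";
+targetPort = 2222;
+targetUser = "nixos";
+};
+
+imports = [
+./configuration.nix
+sops-nix.nixosModules.default
+selfhostblocks.nixosModules.default
+];
+
+shb.home-assistant = {
+enable = true;
+subdomain = "ha";
+sopsFile = ./secrets.yaml;
+};
+};
+};
+};
+}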
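Review bot: `selfhostblocks.url = "/home/timi/Projects/selfhostblocks";` in the `inputs` block is an absolute path on the author's machine, so nobody else can evaluate this flake as committed, and `flake.lock` in this same commit records it as `file:///home/timi/Projects/selfhostblocks`, which pins nothing reproducible. Since this directory lives inside the selfhostblocks repository itself, pointing the input at the published repository (a `github:` URL) or stating in the file that the path must be edited before use would make the example usable, after which the lock file needs regenerating. At minimum add `# Point this at your checkout of selfhostblocks, or at the upstream repository.` above the `selfhostblocks.url` line.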
3
examples/homeassistant/keys.txt
Normal file
3
examples/homeassistant/keys.txt
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
# created: 2023-06-26T21:31:39-07:00
|
||||||
|
# public key: age1a3gukez540dt9p64rrq994487j6awjd063n2jgxtpu6ljv2n0d0qcv8tft
|
||||||
|
AGE-SECRET-KEY-1RE30YJ76UHS0FF3GVL0894SG9J67RRFWT0YQ8K6QGTTS4FDK5QEQRV2436
|
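Review bot: This file is an age secret key, and its public half `age1a3gukez540dt9p64rrq994487j6awjd063n2jgxtpu6ljv2n0d0qcv8tft` is the `admin` recipient in `sops.yaml` and the first recipient in `secrets.yaml`, so anyone with a checkout of this repository can decrypt `secrets.yaml` with the key sitting next to it; the sops encryption adds nothing here and the `home-assistant` secret should be considered exposed. The key should be treated as compromised: generate a fresh one outside the repository, re-encrypt `secrets.yaml` for the new recipient, and purge this file from history rather than only deleting it in a follow-up commit. The `sshkey`/`sshkey.pub` pair added in this commit has the same problem, and as far as I can see neither `configuration.nix` nor `flake.nix` references them, so they could simply be dropped.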
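--- a/examples/homeassistant/secrets.yaml
+++ b/examples/homeassistant/secrets.yaml
@@ -0,0 +1,30 @@
+home-assistant: ENC[AES256_GCM,data:SnkutANfqF2KZ6fpg1S4yBoeEbXBGZ97doxgiP7GVcsf/w7t1ajP0z6vJ7idBTKZ51t8vlRGr4Bq3RzLsqUlQpxjdFDcGGe506EDZhMQUvr4bn2C9gc=,iv:YYkHnNBmd8J1GAL4EW+SAlb9ILbIxevmk/yhLrwnchw=,tag:owP/F/NC4WUpUkNhCkAclw==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1a3gukez540dt9p64rrq994487j6awjd063n2jgxtpu6ljv2n0d0qcv8tft
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVU0NGVE9ubkFQN2kvK1Vo
+SHVIaVZrN2VobkpXMzZPVFdHcVVqdlpTeFJzCjBXbHVuUTJ5S0MrNkVRcWFhWVE0
+MVRDZ0lOWi9ZeFN6WFQxUUhSVlNCbGcKLS0tIE9YWmtmSTFkZU9CWWp6V3g0ejJS
+RS9oRDdZdGkrNGlCZU12TDBCSEtkTFUKIROyBC1UFg4AHz6LgqwPIaZzeDunQSYB
+7MiIp74icMSsl3P3r+6K/brQ5e3DPNvdttr6Q1FhGYfEj55xFqcLMg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1qawyldukqyaeexd0zet4gldp5hc4p0ulrnete73k38xexa8m0yvqzswc2v
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0cTY5b3F3WkJjc3NzcW1X
+SkZxdUdaMkNzQXk2Tng3dHNscFpDR0x0amwwCjhkUGRkRnhiWlZEWVU2UVZseTZh
+V1FoYjVtd3JIMm8rTHBySThYRWFOMVUKLS0tIDV5ZDRkQitOTFNHOFlYdFEzUUIv
+R0N4T1BKRGNkOS95Y1Y2MU10cWR5UWcKpiJ3S1aJOR+jUnVS7u1FaSUo828ZJWGA
+YAjb1G749UxZmUHA7wV4W7oBW3TcBml9HmLyyUjefX6MEPadflp8rQ==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2023-06-27T05:02:12Z"
+mac: ENC[AES256_GCM,data:w/FOB/hc5MUfu0c6+NvLWXG+wNAzD4VZSb44WXXWDxT/Twhb5ASSAXLM6YxCbKGTuug7BiEEPQkBZHEQATuwLmc04R3yKDq4ocyPTI7vbARgwuh/hqw3nAVLi76tH5v2lJLVBFvOzJxB8JBkJgs3VbSlh3APLncvb5+KivPIqis=,iv:zVbMO8zr4uXlZTEin5JsLCos1vOrCKWSDo3Nf3JygXQ=,tag:zMG3D8m2fGa6KMkRrBfffA==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.7.3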
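--- a/examples/homeassistant/sops.yaml
+++ b/examples/homeassistant/sops.yaml
@@ -0,0 +1,9 @@
+keys:
+- &admin age1a3gukez540dt9p64rrq994487j6awjd063n2jgxtpu6ljv2n0d0qcv8tft
+- &vm age1qawyldukqyaeexd0zet4gldp5hc4p0ulrnete73k38xexa8m0yvqzswc2v
+creation_rules:
+- path_regex: secrets.yaml$
+key_groups:
+- age:
+- *admin
+- *vm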
7
examples/homeassistant/sshkey
Normal file
7
examples/homeassistant/sshkey
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
-----BEGIN OPENSSH PRIVATE KEY-----
|
||||||
|
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
|
||||||
|
QyNTUxOQAAACD7ngEdcDu4UVbe2ZzBhKn2HhPW0PlEmgEpb/kkMieFIwAAAJiBL8xSgS/M
|
||||||
|
UgAAAAtzc2gtZWQyNTUxOQAAACD7ngEdcDu4UVbe2ZzBhKn2HhPW0PlEmgEpb/kkMieFIw
|
||||||
|
AAAECzMZfgJIQJUVgyKZ3IYnEVvwnYXJ8nstc4/g1H41dC/vueAR1wO7hRVt7ZnMGEqfYe
|
||||||
|
E9bQ+USaASlv+SQyJ4UjAAAAEWV4YW1wbGVAbG9jYWxob3N0AQIDBA==
|
||||||
|
-----END OPENSSH PRIVATE KEY-----
|
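--- a/examples/homeassistant/sshkey.pub
+++ b/examples/homeassistant/sshkey.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPueAR1wO7hRVt7ZnMGEqfYeE9bQ+USaASlv+SQyJ4Uj example@localhost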